Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Certificate policy examples

Focus mode
Certificate policy examples - AWS IoT Core

For devices registered in AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches a thing name, and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }

For devices not registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with client IDs, client1, client2, and client3 and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }

For devices registered in AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches the thing name, and to publish to a topic whose name is equal to the subject's CommonName field of the certificate the device used to authenticate itself:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] } ] }
Note

In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name is the same for all the devices that share this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).

For devices not registered in AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with client IDs, client1, client2, and client3 and to publish to a topic whose name is equal to the subject's CommonName field of the certificate the device used to authenticate itself:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}"] }, { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] } ] }
Note

In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name is the same for all the devices that share this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).

For devices registered in the AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with a client ID that matches the thing name, and to publish to a topic whose name is prefixed with admin/ when the certificate used to authenticate the device has its Subject.CommonName.2 field set to Administrator:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }

For devices not registered in AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with client IDs client1, client2, and client3 and to publish to a topic whose name is prefixed with admin/ when the certificate used to authenticate the device has its Subject.CommonName.2 field set to Administrator:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/*"], "Condition": { "StringEquals": { "iot:Certificate.Subject.CommonName.2": "Administrator" } } } ] }

For devices registered in AWS IoT Core registry, the following policy allows a device to use its thing name to publish on a specific topic that consists of admin/ followed by the ThingName when the certificate used to authenticate the device has any one of its Subject.CommonName fields set to Administrator:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }

For devices not registered in AWS IoT Core registry, the following policy grants permission to connect to AWS IoT Core with client IDs client1, client2, and client3 and to publish to the topic admin when the certificate used to authenticate the device has any one of its Subject.CommonName fields set to Administrator:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/client1", "arn:aws:iot:us-east-1:123456789012:client/client2", "arn:aws:iot:us-east-1:123456789012:client/client3" ] }, { "Effect": "Allow", "Action": [ "iot:Publish" ], "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin"], "Condition": { "ForAnyValue:StringEquals": { "iot:Certificate.Subject.CommonName.List": "Administrator" } } } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.